Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 23, 2024, 11:07 a.m.	April 23, 2024, 11:19 a.m.

Size	283.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`ace2b92a3208dec19577cbac84d543b2`
SHA256	`1d5fe89aae579ea253d121deb90c9a61f94ddab13ff51f58f939a57f0edab73e`
CRC32	`C43934A2`
ssdeep	`3072:KiD09rKj/em+qxnnoVL0OA18WIyXpOx9E7sFW7CsZONbo0r5EK4kwgpG:YY6mM7A18B9NFW7CswRZr5E`
PDB Path	C:\hagarired-68\jipo46_r.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check

toolspub1.exe "C:\Users\test22\AppData\Local\Temp\toolspub1.exe"
1804

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

C:\hagarired-68\jipo46_r.pdb

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 23, 2024, 11:07 a.m.	process_identifier: 1804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01b90000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory April 23, 2024, 11:07 a.m.	process_identifier: 1804 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0001ba00', u'virtual_address': u'0x00017000', u'entropy': 6.823415498808269, u'name': u'.data', u'virtual_size': u'0x015e3980'}

entropy

6.82341549881

description

A section with a high entropy has been found

entropy

0.391150442478

description

Overall entropy of this PE file is high

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Backdoor.Convagent
Skyhigh	BehavesLike.Win32.Lockbit.dh
Cylance	unsafe
VIPRE	Trojan.GenericKD.72472190
Sangfor	Trojan.Win32.Save.a
BitDefender	Trojan.GenericKD.72472190
K7GW	Ransomware ( 0053d5971 )
K7AntiVirus	Ransomware ( 0053d5971 )
Arcabit	Trojan.Generic.D451D67E
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Kryptik.HWXC
APEX	Malicious
McAfee	Artemis!ACE2B92A3208
Avast	Win32:CrypterX-gen [Trj]
ClamAV	Win.Packer.pkr_ce1a-9980177-0
Kaspersky	HEUR:Trojan-PSW.Win32.Stealerc.gen
Alibaba	Trojan:Win32/Kryptik.3f1ab1b7
MicroWorld-eScan	Trojan.GenericKD.72472190
Rising	Trojan.SmokeLoader!1.F6B2 (CLASSIC)
Emsisoft	Trojan.GenericKD.72472190 (B)
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.ace2b92a3208dec1
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Gen
Google	Detected
MAX	malware (ai score=88)
Antiy-AVL	Trojan[Backdoor]/Win32.Convagent
Kingsoft	Win32.Trojan-PSW.Stealerc.gen
Gridinsoft	Trojan.Win32.SmokeLoader.tr
Microsoft	Trojan:Win32/Znyonm
ZoneAlarm	HEUR:Trojan-PSW.Win32.Stealerc.gen
GData	Win32.Trojan-Downloader.SmokeLoader.0NMY1C
Varist	W32/ABRisk.QHXT-8654
AhnLab-V3	Trojan/Win.TrojanX-gen.R645870
BitDefenderTheta	Gen:NN.ZexaF.36804.rq0@aalTEebG
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack.GS
Panda	Trj/Chgt.AD
Tencent	Trojan.Win32.Obfuscated.gen
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.218559027.susgen
Fortinet	W32/Kryptik.HWMW!tr
AVG	Win32:CrypterX-gen [Trj]
alibabacloud	Trojan:Win/Kryptik.HIFL

toolspub1.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All